nginx-shib / nginx-http-shibboleth

Shibboleth auth request module for nginx
https://github.com/nginx-shib/nginx-http-shibboleth/wiki

No Remote-User variable #12

Closed alex-dot closed 8 years ago

alex-dot commented 8 years ago

I am trying to configure Shibboleth through nginx but am currently stuck at not getting the Remote-User variable displayed. I am currently releasing two attributes, one of which is mail, which I have defined to be assigned as REMOTE_USER:

    <ApplicationDefaults entityID="http://[ip]/shibboleth"
                     REMOTE_USER="mail">

But when checking on the shibboleth-secured site, I do not see the variable. This is all I get:

Array
(
    [HTTP_HOST] => [ip]:8081
    [HTTP_CONNECTION] => close
    [HTTP_CACHE_CONTROL] => max-age=0
    [HTTP_ACCEPT] => text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    [HTTP_UPGRADE_INSECURE_REQUESTS] => 1
    [HTTP_USER_AGENT] => Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.116 Safari/537.36
    [HTTP_DNT] => 1
    [HTTP_REFERER] => http://[ip]/idp/profile/SAML2/Redirect/SSO?execution=e2s1
    [HTTP_ACCEPT_ENCODING] => gzip, deflate, sdch
    [HTTP_ACCEPT_LANGUAGE] => de-DE,de;q=0.8,en-US;q=0.6,en;q=0.4
    [HTTP_COOKIE] => _shibsession_64656661756c74687474703a2f2f3134392e3230352e35362e33362f73686962626f6c657468=_0241fd63f0d8eb035c508103d7b341aa
    [HTTP_SHIB_APPLICATION_ID] => default
    [HTTP_SHIB_AUTHENTICATION_INSTANT] => 2016-03-08T11:27:30.375Z
    [HTTP_SHIB_AUTHENTICATION_METHOD] => urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
    [HTTP_SHIB_AUTHNCONTEXT_CLASS] => urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
    [HTTP_SHIB_IDENTITY_PROVIDER] => http://[ip]/idp/shibboleth
    [HTTP_SHIB_SESSION_ID] => _0241fd63f0d8eb035c508103d7b341aa
    [HTTP_SHIB_SESSION_INDEX] => _ce12a785b5c15703d73c747ce477bbc3
    [HTTP_MAIL] => mail@address.com
    [PATH] => /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
    [SERVER_SIGNATURE] => Apache/2.4.10 (Debian) Server at [ip] Port 8081
    [SERVER_SOFTWARE] => Apache/2.4.10 (Debian)
    [SERVER_NAME] => [ip]
    [SERVER_ADDR] => [ip]
    [SERVER_PORT] => 8081
    [REMOTE_ADDR] => [ip]
    [DOCUMENT_ROOT] => /var/www/sp
    [REQUEST_SCHEME] => http
    [CONTEXT_PREFIX] => 
    [CONTEXT_DOCUMENT_ROOT] => /var/www/sp
    [SERVER_ADMIN] => [no address given]
    [SCRIPT_FILENAME] => /var/www/sp/secure-all/index.php
    [REMOTE_PORT] => 59936
    [GATEWAY_INTERFACE] => CGI/1.1
    [SERVER_PROTOCOL] => HTTP/1.0
    [REQUEST_METHOD] => GET
    [QUERY_STRING] => 
    [REQUEST_URI] => /secure-all/
    [SCRIPT_NAME] => /secure-all/index.php
    [PHP_SELF] => /secure-all/index.php
    [REQUEST_TIME_FLOAT] => 1457440035.177
    [REQUEST_TIME] => 1457440035
)

Note that I proxy_pass to Apache so it can compile the PHP. Could that be the problem? On plain Apache (with mod_shib) the variable is set correctly. Here is my vhost conf:

server {
    listen 8080 default_server;
    root /var/www/sp;
    index index.html index.htm index.nginx-debian.html;
    server_name _;

    location / {
            try_files $uri $uri/ =404;
    }

    # FastCGI requester
    location = /shibauthorizer {
            internal;
            include fastcgi_params;
            fastcgi_pass unix:/var/run/shibboleth/shibauthorizer.sock;
    }

    # FastCGI responder
    location = /Shibboleth.sso {
            include fastcgi_params;
            fastcgi_pass unix:/var/run/shibboleth/shibresponder.sock;
    }

    # Resources for Shibboleth error pages
    location /shibboleth-sp {
            alias /usr/share/shibboleth/;
    }

    # Secured locations
    # Completely secured
    location /secure {
            # Generic list of headers to be cleared, to avoid spoofing
            more_clear_input_headers 'Variable-*' 'Shib-*' 'Remote-User' 'REMOTE_USER' 'Auth-Type' 'AUTH_TYPE';

            # Special list of headers to be cleared for specific application
            more_clear_input_headers 'displayName' 'mail' 'persistent-id';

            shib_request /shibauthorizer;

            proxy_pass http://[ip]:8081;
    }
}
davidjb commented 8 years ago

Firstly, if you've made changes to your Shibboleth configuration files, make sure all your services have been restarted -- and, whenever you restart shibd, restart the shibauthorizer and shibresponder as well (in that order). I've been left confused a few times by only restarting part of the stack.

Assuming all the parts have the correct config present, then it looks like all of the Shibboleth headers are making it through to your PHP application (e.g. the HTTP_SHIB_* headers and HTTP_MAIL). I'd firstly suggest checking your attribute-map.xml file for Shibboleth to ensure that the mail attribute is listed and/or uncommented and its ID is correct. I would assume it is, given the presence of HTTP_MAIL, but it's worth checking.

Next, you can check whether your Shibauthorizer is yielding the correct REMOTE_USER header (seen as Variable-REMOTE_USER from a FastCGI authorizer) like so:

location /secure {
    ...
    shib_request_set $shib_remote_user $upstream_http_variable_remote_user;
    proxy_set_header X-TEST $shib_remote_user;
    proxy_pass http://[ip]:8081;
}

This loads the upstream variable from the shibauthorizer response into an Nginx variable in this scope, and then sets that variable to be the header X-TEST before being sent to your backend Apache instance. If you see X-TEST with your expected REMOTE_USER attribute, then this proves that Apache is the issue. If you don't, then check your Shibboleth configuration as there might be something else (perhaps in shibboleth2.xml) that's overriding your REMOTE_USER config. At a hunch though, I suspect Apache or its modules are getting in the way here and either overriding or dropping the REMOTE_USER header.

In either case, you'd be best to consider running PHP under FastCGI so Nginx can talk to it directly (see http://php-fpm.org/ and various tutorials at https://www.nginx.com/resources/wiki/start/). That avoids the extra translation step to Apache, simplifies your stack, reduces memory usage and will speed up your application considerably. You can also gain the benefit of being able to avoid the use of headers (see https://github.com/nginx-shib/nginx-http-shibboleth/tree/development) -- as you can pass environment variables to the PHP FastCGI process through Nginx's configuration.

Debugging this kind of stack is very hard as Shibboleth's FastCGI apps don't log anything irrespective of logging settings, so if you get stuck, try and switch to running PHP under FastCGI and simplify things. If you're still stuck at this point, create a super-simple HTTP proxy (I'd suggest Bottle for Python) and use that as your backend proxy_pass application -- and print out the request headers.
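
As an added example (written for this page; it is not code from nginx-http-shibboleth or from either commenter), the following Python models the two steps the answer above relies on: the more_clear_input_headers anti-spoofing lists from the vhost, and the shib_request_set / proxy_set_header X-TEST diagnostic, followed by the CGI/1.1 HTTP_* rendering that a PHP backend behind Apache would show in $_SERVER. The sample client and authorizer headers are constructed, and the mapping of the authorizer's Variable-<Name> headers onto request headers named <Name> is an assumption about the module's header mode, not something the page states.

```python
"""Added example (not part of nginx-http-shibboleth): a Python model of what the
nginx config in this issue does to request headers, so the X-TEST diagnostic and
the anti-spoofing header clearing can be reasoned about offline.

Assumptions (not stated on the page): the authorizer's 200 response carries
Variable-<Name> headers and each becomes a request header <Name> towards the
backend; the backend sees headers through the CGI/1.1 HTTP_* convention."""
import fnmatch
from typing import Dict, Mapping, Optional

# The two more_clear_input_headers lists from the vhost in the issue.
CLEAR_PATTERNS = (
    "Variable-*", "Shib-*", "Remote-User", "REMOTE_USER", "Auth-Type", "AUTH_TYPE",
    "displayName", "mail", "persistent-id",
)


def clear_input_headers(headers: Mapping[str, str],
                        patterns=CLEAR_PATTERNS) -> Dict[str, str]:
    """Drop every client-supplied header matching a pattern (case-insensitive,
    as HTTP header names are). Anything that survives could reach the backend
    unmodified, so every authorizer-derived name must appear in the list."""
    kept: Dict[str, str] = {}
    for name, value in headers.items():
        if any(fnmatch.fnmatchcase(name.lower(), p.lower()) for p in patterns):
            continue
        kept[name] = value
    return kept


def apply_authorizer(headers: Mapping[str, str], status: int,
                     authorizer_headers: Mapping[str, str]) -> Optional[Dict[str, str]]:
    """Model shib_request plus the X-TEST diagnostic from the comment above.

    A 200 from the authorizer lets the request through; every Variable-<Name>
    header it returned is added as <Name> (assumed behaviour of header mode).
    $upstream_http_variable_remote_user is then copied into X-TEST; nginx does
    not send a proxy_set_header whose value is empty, so X-TEST is absent when
    the authorizer returned no REMOTE_USER. Any other status denies (None).
    """
    if status != 200:
        return None
    out = dict(headers)
    remote_user = ""
    for name, value in authorizer_headers.items():
        if name.lower().startswith("variable-"):
            short = name[len("variable-"):]
            out[short] = value
            # nginx variable names are lower-case with '-' turned into '_', so
            # Variable-REMOTE_USER and Variable-Remote-User both land here.
            if short.lower().replace("-", "_") == "remote_user":
                remote_user = value
    if remote_user:
        out["X-TEST"] = remote_user
    return out


def to_cgi_env(headers: Mapping[str, str]) -> Dict[str, str]:
    """CGI/1.1 (RFC 3875) view of forwarded headers, i.e. what PHP's $_SERVER
    shows behind Apache: HTTP_ + upper-cased name with '-' replaced by '_'.
    A bare REMOTE_USER is never produced this way (only the web server's own
    authentication sets it), so a proxied Remote-User header can only appear
    as HTTP_REMOTE_USER, just as the mail header appears as HTTP_MAIL."""
    return {"HTTP_" + n.upper().replace("-", "_"): v for n, v in headers.items()}


# Constructed sample traffic: a client that tries to spoof identity headers.
CLIENT_HEADERS = {
    "Host": "sp.example.org",
    "Accept": "*/*",
    "Remote-User": "attacker",
    "Shib-Session-ID": "_forged",
    "mail": "attacker@example.org",
}
# Constructed authorizer reply, shaped like the Variable-REMOTE_USER the answer mentions.
AUTHORIZER_OK = {
    "Variable-REMOTE_USER": "mail@address.com",
    "Variable-mail": "mail@address.com",
}


def run_diagnostic(client_headers=CLIENT_HEADERS, status=200,
                   authorizer_headers=AUTHORIZER_OK) -> Dict[str, str]:
    """Full pipeline: clear spoofable input, consult the authorizer, render the
    CGI environment the backend would see. An empty dict means the request was denied."""
    forwarded = apply_authorizer(clear_input_headers(client_headers), status,
                                 authorizer_headers)
    return to_cgi_env(forwarded) if forwarded is not None else {}


if __name__ == "__main__":
    for key, val in sorted(run_diagnostic().items()):
        print(f"{key} => {val}")
```

Running it prints the HTTP_* view the backend would receive. The two cases worth noting: the client's own Remote-User and mail headers are discarded before the authorizer's values are applied, so only the authorizer can populate them, and when the authorizer returns no REMOTE_USER the X-TEST header is simply absent rather than carrying a stale or client-supplied value.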

alex-dot commented 8 years ago

First of all: Thank you for your detailed answer. I have seldom seen so much effort put into answering how to debug such a problem. Kudos!

After installing php-fpm (you are right, I should have done that earlier) everything worked.

I tried to get Apache working anyway, and for a time I thought that adding include fastcgi.conf would help. I don't know; probably some setting one would have to set in Apache.

Oh and extra-kudos for mentioning bottle. ;)

davidjb commented 8 years ago

No problem, glad you could get things working! Documentation improvements are welcome, if there's anything that could be better.

Since you're using FastCGI, you can try out the development branch (with header use disabled by default) and use environment variables only. Feedback welcome too.